[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Password change synchronization

punith punith skrev, on 20-02-2008 03:51:

I am doing authentication using OpenLDAP and I think it is best place to ask my problem.

Seem the right one to me :)

What I require is, I have to run a shell script when the user changes password.
ie Suppose that a user is changed his OpenLDAP pasword, I want to trigger a shell script which updates oracle login password.
Is it possible with Openldap?
If so, how and where to keep the shell script?

At my main site I use different shell scripts both for looking at the LDAP db and measuring different parameters and taking action on them, as well as looking at other factors (such as whether IMAP Maildir directories have been created for LDAP users) and taking action on those. I'm doing something similar to what you want and it's as well to point out that the site uses ppolicy for posixAccounts and I don't think I could do it without (can for Samba, but that's another matter), since it has the standard attribute pwdChangedTime.

1: So yes, it's possible to do this with OpenLDAP.
2: "How" is totally dependent on your shell scripting capabilities and experience. Basic scripting I've been able to do since day 1 of my Unix life more than 10 years ago, LDAP-specific scripting (e.g. using OpenLDAP tools, using HERE docs instead of writing to temporary files, etc.) I taught myself later by looking at what certain others had done, using my imagination and adapting. One of the people from whom I grabbed the basic idea years ago is Johan Vriesman (http://www.vriesman.tk/). I didn't grab what he was trying to do, just how he does it and twist that so it became sensible. But always look at what others are doing and how. For example sometimes I have to use bc and sed to do simple math for comparing integer attributes and it's as well to know how in a shell script.
3: Where to keep the scripts is totally up to you. Most of my scripts don't involve any privileged system users, but do involve knowing a privileged LDAP user's password. They can be run by anyone and kept anywhere. Many of the scripts are called from cron, so these users should have POSIX accounts, for the most part as mortals.



Tony Earnshaw
Email: tonni at hetnet dot nl